Ecommerce sites can open up a raft of avenues for fraud and hackers.(Image via iStock)
A single day doesn’t go by without hearing about someone, or some group, penetrating a website and stealing credit card or other sensitive data from ecommerce sites.
According to a 2012 Sophos Security Threat Report, an average 30,000 websites are hacked every day. As we approach the end of 2015, this number has likely become even greater.
So, how do you protect your ecommerce site from being hacked and sensitive customer data from being stolen?
1. Choose a secure ecommerce platform
Development teams and companies might usually decide to build an ecommerce solution from the ground up.
Most of the time, this is a bad decision to take as it entails a lot of costs and security risks. Alternatively, when building an ecommerce website, it is faster, easier and less risky in terms of security to use an existing ecommerce platform on which to base your own.
Adopting and customizing ecommerce solutions to the needs of your own website will save your team time, money, human resources and will provide a good base of security practices already built-in by the ecommerce solution vendors.
2. Use a secure connection for checkout (SSL)
The internet works on the HTTP protocol for transferring information from the user’s browser to the hosting servers. HTTP by its nature is not secure in transferring secure information, that’s because by default it does not implement any type of encryption on the data being transferred.
This puts your ecommerce website users at the mercy of hackers on the same network, sniffing for information that is being sent. These could include passwords, credit card numbers, and addresses, all through what is commonly termed a 'man in the middle attack'.
A solution to this problem is to implement your ecommerce website on a more secure protocol which is HTTPS.
HTTPS implements an SSL (Secure Socket Layer) certificate that enables all communication between the user’s web browser and the ecommerce website server to be completely encrypted. The encryption in communication ensures that the user’s information is not exposed to anyone monitoring the network traffic.
3. Don't store sensitive user data
Websites usually store a lot of information about users in their databases.
One good security practice is to not store any sensitive financial information about your users in the database after they complete their purchases.
Users who wish to use the site again can simply re-enter their financial information when they need to purchase and the site will use it for only that one transaction, and not keep the information.
This practice will reduce the risk of stealing credit card and bank information of users.
4. Request strong passwords from your users
Most of the time the website does not have a lot of control on what passwords a user chooses.
Hackers are trained to guess this type of simple passwords through techniques known as social engineering.
In order to tackle this problem, you can implement additional validation rules on your sign up forms asking your users to choose more sophisticated passwords that are harder to break. This can be done by getting them to use a combination of upper and lower case letters, numbers, and special characters.
5. Setup system alerts for suspicious activities
Tracking user activity is very important on any website for analyzing user behavior, and security purposes.
Setting up tracking on specific sections and user behaviors is especially important.
For example, your ecommerce platform should be tracking anyone who goes to login or signup to your platform, looking at how frequent their trials are and where the origin of their IP address is.
Tracking such information will allow you to detect attackers trying to do brute force attacks on your website’s forms, such as an XSS or SQL Injection.
6. Use tracking numbers for all orders
When selling physical goods you should use tracking numbers for all orders that need to be shipped to customers on your site.
It is very important to use a tracking code or number on all packages.
This practice is beneficial for combating fraud and identify theft.
Knowing to whom, where and how the packages are being sent is an important step in securing and increasing user trust in your ecommerce website.
The tracking of packages will allow you to better identify your customers by confirming their billing and shipping addresses.
It also helps in preventing ‘charge-back fraud’ where a user might say they didn’t receive an order, and then demand a refund, when actually they did get their item delivered.
7. Always backup your system and database
Last but definitely not least, it is an absolute necessity for your team to invest in a backup strategy.
Backups allow you to keep copies of your data for referring to it in case any problems occur on the main server of your ecommerce application.
Online backups are needed for data redundancy (the replication of data as a backup), that is you can switch to those backups automatically in case your primary server that is serving your ecommerce solution fails or is compromised.
In addition to that, having an offline backup solution that allows you to keep a copy of all your data on your local office servers is very important.
Local backups allow you to cater for disaster situations in case they happen with your hosting provider or data centers.
Getting your ecommerce solution back up and running can be as simple as uploading your data to another hosting provider in such a case, thus minimizing downtime for your users and business.
Do you have additional tips and practices that your own ecommerce startup follows? We’d love to hear your thoughts.